Cyber Security and the Legal Sector

It’s commonplace to see articles and discussions about cyber security and the law, but this article is not about that.

It is about cyber security and law firms, those august institutions with their lawyers, barristers, and attorneys.

Legal firms benefit from a sort of professional halo that makes it more difficult to question their probity and their cyber security.

Yet in the light of the Panama Papers data breach of last year, the legal sector may need to do some significant catching up in terms of protecting its own assets and those of its clients.

IT has brought benefits to legal companies, but has also multiplied their risks.

Legal firms often manage not only their own data and financial resources, but those of their clients too. They handle sensitive customer data and details of company operations, including mergers and acquisitions, and they initiate movements of client funds, including funds destined to buy other companies.

Yet they have also lagged behind many other sectors in putting proper IT security and cyber security in place. Taken together, these factors make legal companies both attractive and vulnerable to cyber criminals, a high-risk combination.

The rules for ensuring good cyber protection for legal companies are much the same as for other enterprises. The “need to know” principle, user information security awareness campaigns and training, and suitable system security such as antivirus, firewalls, intrusion detection and security analytics all apply to lawyers just as they do to anybody else.

In the same way, legal firms must also appreciate that the data they hold may be sensitive for different reasons: not just for businesses, but also in terms of personal privacy or medical confidentiality.

The same rules and regulations apply to legal firms as to others, and so do fines imposed for non-compliance or negligence, whether an incident has occurred or not.

The legal sector is something of a special case, because of its professional activities. But it must observe the same minimum standards of cyber security and data privacy as any other area of industry.